
Commit

Open Source Compliance for Security
openprivacy committed Nov 7, 2024
1 parent 8ecc30e commit 2295ef5
Showing 13 changed files with 508 additions and 9 deletions.
4 changes: 3 additions & 1 deletion Gemfile.lock
Expand Up @@ -91,6 +91,8 @@ GEM
google-protobuf (~> 3.23)
sass-embedded (1.69.5-x86_64-darwin)
google-protobuf (~> 3.23)
sass-embedded (1.69.5-x86_64-linux-gnu)
google-protobuf (~> 3.23)
terminal-table (3.0.2)
unicode-display_width (>= 1.1.1, < 3)
unicode-display_width (2.5.0)
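Review bot: the new sass-embedded (1.69.5-x86_64-linux-gnu) entry, added next to the existing x86_64-darwin one, is a platform-resolution artifact of running bundler on Linux rather than part of the "Open Source Compliance for Security" change itself; it is harmless, but a lockfile-only commit would keep the content change reviewable on its own.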
Expand All @@ -112,4 +114,4 @@ DEPENDENCIES
webrick (~> 1.8)

BUNDLED WITH
2.5.6
2.5.23
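Review bot: BUNDLED WITH moves from 2.5.6 to 2.5.23 with no Gemfile change in this commit, so it is a side effect of whichever local bundler regenerated the lock; keeping it is fine, but confirm the build environment installs a matching bundler so the lockfile is not rewritten again on the next `bundle install`.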
10 changes: 10 additions & 0 deletions _guide/resources.md
Expand Up @@ -9,6 +9,16 @@ categories:

---

## Code
* [SSP Toolkit: Auto-generated System Security Plan](https://github.com/CivicActions/ssp-toolkit/)
* Originally based on OpenControl, this toolkit - created in 2018 - has been forked to create the SSP documentation achieving seven ATOs for three Federal Agencies, one of which took just two weeks.
* [OSCAL Reusable Component Definitions Library](https://github.com/CivicActions/oscal-component-definitions)
* This is an early example of reusable OSCAL components. Work to do includes:
* Update from NIST SP 800-53 rev4 to rev5
* Present ODP defaults as a Profile
* Include plain language assessments

## Papers
* [Policy recommendations for improving the ATO process through Compliance as Code](https://medium.com/civicactions/policy-recommendations-for-improving-the-ato-process-through-compliance-as-code-524e3005fceb)
* [ATO ASAP: Let’s finally fix the security compliance problem](https://www.nextgov.com/modernization/2021/02/ato-asap-lets-finally-fix-the-security-compliance-problem/258357/) (*FCW*)
* [Rethinking the process of attaining ATOs](https://www.youtube.com/watch?v=C9WAhI3cXb0) (*Government Matters*)
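Review bot: the " - created in 2018 - " aside in the SSP Toolkit bullet uses spaced hyphens as parenthetical dashes; commas or parentheses ("this toolkit (created in 2018) has been forked…") read cleanly and match the rest of the page. The nested "Work to do" items under the OSCAL library are a task list embedded in a resource guide and will go stale once done; pointing at the repository's issue tracker keeps the guide accurate without further edits.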
21 changes: 21 additions & 0 deletions _posts/2024-09-03-open-security.md
@@ -0,0 +1,21 @@
---
layout: post
title: "Open Source Compliance for Security"
date: 2024-09-03 08:00:00 -0800
description: Open Source Methods Essential for Modern System Security and Compliance
author: fen-labalme
categories: featured
image: card-power.png
---

**BLUF:** We must adopt open source methods (transparency, collaboration, and collective intelligence) and widen the community and visibility of contributors to effectively manage the security, compliance, monitoring and assessment of (FISMA reportable) information systems in the continuously evolving cybersecurity landscape.

There is [growing effort](https://openssf.org/) to ensure the [security of systems built with open source software](https://www.whitehouse.gov/oncd/briefing-room/2024/08/09/fact-sheet-biden-harris-administration-releases-end-of-year-report-on-open-source-software-security-initiative-2/) or a supply chain dependence upon open source software. Riding the open source wave increases the speed at which new technologies can be incorporated into the CI/CD pipeline, bringing new features, greater accessibility and enhanced security. But security compliance and authorizations to operate are stuck in a decades old, manual process that is getting slower and more cumbersome as new technologies are brought to bear. (ref: NIST’s [AI Risk Management Framework](https://www.nist.gov/itl/ai-risk-management-framework) with 74 new controls released July 2024.)

The OpenATO community is creating a collection of open source digital public goods that provide an essential, flexible and eventually comprehensive baseline for ensuring the security of systems. An open source, collaboratively maintained library of implementation and assessment tools is necessary to manage systems security compliance in this modern era.

No single entity can stay abreast of the continuously evolving digital landscape, from document management to development environments and hosting platforms where bad actors are employing ever more sophisticated attack vectors, or may simply take advantage of improper configuration.

To manage the testing of systems for cybersecurity compliance, the Department of Defense (DoD) has developed a series of Security Technical Implementation Guides (STIGs) for different applications and systems. Automated scanners employing the Security Content Automation Protocol (SCAP) can read these STIGs and test system configuration to ensure it is in compliance with best practices. But STIGs and SCAP only test static configuration compliance, and often lag well behind real world best practices. There is a clear need to enhance cybersecurity collaboration, following the best practices of open source software communities.

Until now, such cooperation/collaboration would have been problematic, as there was no common language for expressing control implementation statements and assessment processes/evidence collection. Everything has been managed manually and ad hoc, using e.g. Word and Excel documents, often converted to (even more static) PDF format for delivery to assessment officers. Fortunately, NIST is proposing the Open Security Controls Assessment Language (OSCAL), a machine readable, data centric _lingua franca_ that can express existing as well as emerging security vulnerabilities and mitigations.
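Review bot: the front matter date is 2024-09-03 08:00:00 -0800 while the commit lands on Nov 7, 2024 and the generated index pages already render "September 3, 2024"; confirm the backdate is intentional, and note that -0800 is the Pacific standard-time offset whereas early September is daylight time (-0700). In the body, "decades old, manual process" and "machine readable" read better hyphenated ("decades-old", "machine-readable"), and the bare parenthetical "(ref: NIST's AI Risk Management Framework with 74 new controls released July 2024.)" would be clearer as a full sentence naming the document those 74 controls come from.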
2 changes: 1 addition & 1 deletion _site/assets/css/uswds-theme.css

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions _site/assets/css/uswds-theme.css.map

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions _site/guide/introduction.html
Expand Up @@ -262,7 +262,7 @@ <h1>Introduction</h1>

<p>Technology platforms are continuously evolving, CVEs are growing at 20% a year, and threats are increasing probably faster. No single group (contractor or agency) is up to the task of staying abreast of all the changes, yet we must. A path forward is to open the process up to community collaboration so that all can benefit from the updates made at the edges by other parties.</p>

<p>The platform needs to be open to encourage sharing. Catalog baselines, agency Profiles and system Components should contain little or no sensitive information. Even SSPs and Assessment Plans can, for the most part, be open and shared. (Of course, the Assessment Results containing system vulnerabilities and POA&amp;Ms may be sensitive.) The goal is to slowly trim-tab the ship toward a fluid, evolving ecosystem of assertions and tests (covering the inventory of hardware, software, policy and processes) and away from static “paper” SSPs/ATOs.</p>
<p>The platform needs to be open to encourage sharing. Catalog baselines, agency Profiles and system Components often contain little or no sensitive information and can easily be shared. Even SSPs and Assessment Plans can, for the most part, be open and shared. (Of course, the Assessment Results containing system vulnerabilities and POA&amp;Ms may be sensitive.) The goal is to slowly trim-tab the ship toward a fluid, evolving ecosystem of assertions and tests (covering the inventory of hardware, software, policy and processes) and away from static “paper” SSPs/ATOs.</p>

</main>
</div>
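Review bot: this hand-edits the generated _site/guide/introduction.html text ("should contain" becomes "often contain … and can easily be shared"), but no _guide/introduction.md change is among the files shown in this commit; if the source was not updated, the next Jekyll build will revert it. Committing _site/ output alongside the source makes this drift easy to miss; building in CI and excluding _site/ from the repository removes the problem.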
Expand Down Expand Up @@ -290,7 +290,7 @@ <h1>Introduction</h1>


<!-- // Date not working
&nbsp; &middot; &nbsp; Last updated: March 29, 2024 at 03:46 PM
&nbsp; &middot; &nbsp; Last updated: April 16, 2024 at 11:39 AM
-->

</p>
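Review bot: the "Last updated" timestamp sits inside an HTML comment already marked "// Date not working", so this hunk only churns dead text; either fix the date rendering or drop the block from the layout so every rebuild stops producing a no-op diff.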
23 changes: 22 additions & 1 deletion _site/guide/resources.html
Expand Up @@ -258,7 +258,28 @@

<h1>Resources</h1>

<ul>
<h2 id="code">Code</h2>
<ul>
<li><a href="https://github.com/CivicActions/ssp-toolkit/">SSP Toolkit: Auto-generated System Security Plan</a>
<ul>
<li>Originally based on OpenControl, this toolkit - created in 2018 - has been forked to create the SSP documentation achieving seven ATOs for three Federal Agencies, one of which took just two weeks.</li>
</ul>
</li>
<li><a href="https://github.com/CivicActions/oscal-component-definitions">OSCAL Reusable Component Definitions Library</a>
<ul>
<li>This is an early example of reusable OSCAL components. Work to do includes:
<ul>
<li>Update from NIST SP 800-53 rev4 to rev5</li>
<li>Present ODP defaults as a Profile</li>
<li>Include plain language assessments</li>
</ul>
</li>
</ul>
</li>
</ul>

<h2 id="papers">Papers</h2>
<ul>
<li><a href="https://medium.com/civicactions/policy-recommendations-for-improving-the-ato-process-through-compliance-as-code-524e3005fceb">Policy recommendations for improving the ATO process through Compliance as Code</a></li>
<li><a href="https://www.nextgov.com/modernization/2021/02/ato-asap-lets-finally-fix-the-security-compliance-problem/258357/">ATO ASAP: Let’s finally fix the security compliance problem</a> (<em>FCW</em>)</li>
<li><a href="https://www.youtube.com/watch?v=C9WAhI3cXb0">Rethinking the process of attaining ATOs</a> (<em>Government Matters</em>)</li>
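Review bot: this is the rendered form of the _guide/resources.md hunk above, so the " - created in 2018 - " punctuation fix belongs in the markdown source, not here; the generated markup itself is consistent, with the single bare list replaced by the two h2-headed lists ("code" and "papers").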
4 changes: 4 additions & 0 deletions _site/index.html
Expand Up @@ -304,6 +304,10 @@ <h3 class="usa-card__heading"><a href="/people/fen-labalme">Fen Labalme</a></h3>
<div class="grid-container">
<h2>News</h2>

<h3><a href="/posts/open-security">Open Source Compliance for Security</a></h3>
<p>Open Source Methods Essential for Modern System Security and Compliance</p>
<p><em>September 3, 2024</em></p>

<h3><a href="/posts/cybersecurity-notes">Cybersecurity: Open and Transparent</a></h3>
<p>Data Centricity is key.</p>
<p><em>March 11, 2024</em></p>
4 changes: 4 additions & 0 deletions _site/news/index.html
Expand Up @@ -202,6 +202,10 @@ <h1>News</h1>
<p class="lead">Latest OpenATO news.</p>


<h2><a href="/posts/open-security">Open Source Compliance for Security</a></h2>
<p>Open Source Methods Essential for Modern System Security and Compliance</p>
<p><em>September 3, 2024</em></p>

<h2><a href="/posts/cybersecurity-notes">Cybersecurity: Open and Transparent</a></h2>
<p>Data Centricity is key.</p>
<p><em>March 11, 2024</em></p>
2 changes: 2 additions & 0 deletions _site/people/fen-labalme.html
Expand Up @@ -221,6 +221,8 @@ <h2>Connect</h2>
<h2>Posts</h2>
<ul>

<li><a href="/posts/open-security">Open Source Compliance for Security</a>, September 3, 2024</li>

<li><a href="/posts/cybersecurity-notes">Cybersecurity: Open and Transparent</a>, March 11, 2024</li>

<li><a href="/posts/policy-recomendations-for-improving-the-ato-process">Policy recommendations for improving the ATO process through Compliance as Code</a>, February 16, 2021</li>
4 changes: 2 additions & 2 deletions _site/posts/day-one-project.html
Expand Up @@ -215,7 +215,7 @@ <h1 class="font-heading-3xl">Day One Project: Compliance as Code and Improving t
</div>
<div class="grid-col-9">
<div class="post-content">
<p>We co-wrote a white paper for Day One Project focused on improving the ATO Process. The authors included CivicAction’s Fen Labalme and Mary Lazzeri and GovReady’s Dayton Williams and Greg Elin.</p>
<p>We co-wrote a white paper for Day One Project focused on improving the ATO Process. The authors included CivicAction’s Fen Labalme and Mary Lazzeri and GovReady’s Greg Elin and Dayton Williams.</p>

<p>Full post: <a href="https://fas.org/publication/compliance-as-code-and-improving-the-ato-process/">Day One Project: Compliance as Code and Improving the ATO Process</a></p>
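Review bot: the author-order change ("Dayton Williams and Greg Elin" becomes "Greg Elin and Dayton Williams") is made in generated _site/posts/day-one-project.html, and the corresponding _posts source file is not among the files shown; make sure the markdown was changed as well, or the next build will undo this edit.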

Expand Down Expand Up @@ -260,7 +260,7 @@ <h1 class="font-heading-3xl">Day One Project: Compliance as Code and Improving t


<!-- // Date not working
&nbsp; &middot; &nbsp; Last updated: March 29, 2024 at 03:46 PM
&nbsp; &middot; &nbsp; Last updated: April 16, 2024 at 11:39 AM
-->

</p>
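Review bot: same dead "// Date not working" comment block as in introduction.html, regenerated with a new timestamp; removing the block from the shared layout (or fixing the date rendering) stops this churn across every page at once.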
0 comments on commit 2295ef5